parse-server is vulnerable to authorization bypass. The vulnerability exists in the GraphQL viewer where an authenticated user can bypass the read security restrictions, and all objects linked through relation, placed on his User object.
github.com/advisories/GHSA-236h-rqv8-8q73
github.com/parse-community/parse-server/blob/master/CHANGELOG.md#430
github.com/parse-community/parse-server/commit/78239ac9071167fdf243c55ae4bc9a2c0b0d89aa
github.com/parse-community/parse-server/pull/5745
github.com/parse-community/parse-server/security/advisories/GHSA-236h-rqv8-8q73